Hi
On 2026-04-15 22:09, Andrey Andreev wrote:
> - It is clearly aiming for default of 1 and unreasonably expects all
> codebases to be (meticulously) updated with SensitiveParameter
> attribute -
> that is "opt-in security" and not secure by default
There is no stack trace here, which means that the only functions that
are affected by this RFC are native functions. Userland functions
calling `trigger_error()` don't show the function name. All the native
functions in php-src that handle sensitive inputs have been adapted
right with the introduction of the #[\SensitiveParameter] attribute in
PHP 8.2 - and if some are missing, I would consider that a pre-existing
bug that needs fixing.
And even if this wasn't the case, the ecosystem has widely adopted the
attribute in the 4 years since its introduction, which was easily
possible since attributes are fully backwards and forwards compatible
with all PHP versions (including PHP versions that do not yet support
attributes).
Best regards
Tim Düsterhus
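The two mechanisms the reply contrasts, as an added example that is not part of the thread: a function whose parameter carries `#[\SensitiveParameter]` throws, and the recorded trace frame holds a `SensitiveParameterValue` wrapper instead of the secret; a userland function reporting via `trigger_error()` only ever emits the message string its author wrote, so neither its name nor its arguments reach the handler. Function names, the `zend.exception_ignore_args` setting and the sample credentials are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing-list thread or php-src.
// Arguments are only recorded in exception traces when this INI setting is
// off; php.ini-production turns it on, so set it explicitly for the demo.
ini_set('zend.exception_ignore_args', '0');

// Constructed function: the attribute marks the second parameter as sensitive.
function connectWithPassword(string $user, #[\SensitiveParameter] string $password): void
{
    throw new RuntimeException("login failed for $user");
}

// Returns the argument list recorded for the connectWithPassword() frame.
function redactedTraceArgs(): array
{
    try {
        connectWithPassword('alice', 'hunter2'); // constructed credentials
    } catch (RuntimeException $e) {
        echo $e->getTraceAsString(), "\n"; // prints Object(SensitiveParameterValue), not the password
        return $e->getTrace()[0]['args'] ?? [];
    }
    return [];
}

$args = redactedTraceArgs();
echo 'user argument recorded as: ', var_export($args[0], true), "\n";
echo 'password argument is SensitiveParameterValue: ',
    var_export($args[1] instanceof SensitiveParameterValue, true), "\n";
// The real value stays reachable only through an explicit call; nothing that
// formats the trace (getTraceAsString, uncaught-exception output) prints it.
echo 'wrapper still holds the original: ',
    var_export($args[1]->getValue() === 'hunter2', true), "\n";

// Constructed userland function that reports through trigger_error() instead of
// throwing: no frame is built, so there is nothing for the attribute to redact
// and the handler receives only the literal message.
function legacyLogin(string $user, string $password): bool
{
    trigger_error("login failed for $user", E_USER_WARNING);
    return false;
}

set_error_handler(function (int $errno, string $errstr, string $file, int $line): bool {
    echo "error handler received: {$errstr}\n";
    echo 'message mentions legacyLogin: ', var_export(str_contains($errstr, 'legacyLogin'), true), "\n";
    return true;
});
legacyLogin('bob', 'secret'); // constructed credentials
restore_error_handler();
```

Run it with PHP 8.2 or later; on older versions the attribute is ignored as a comment and the trace frame carries the plain string, which is the backwards-compatibility property the reply relies on.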